In this article, we'll discuss how degoogled phones and tablets receive software updates to the operating system, as compared to a stock Android device. We'll discuss terminology, sources of updates, and which components are updated. For the purposes of our discussion, the term "software update" will be used broadly to include any security patch, bug fix, or feature enhancement. We'll also explain differences between terms like firmware, vendor software, open-source and proprietary software. So let's get into the details...
How Important are Updates to Privacy and Security?
I'll argue that the importance of software updates are relative, based on the use case of the device.
If we consider updates that are classified as "security" related, we'd generally agree they are critically important because they patch known vulnerabilities. It can be argued that importance is based on a user's threat model and what they do with the device. Let's consider two cases: An "ordinary" person has no reason to believe anyone wants to hack their phone, and does not use their device for banking or shopping but only to make casual phone calls and check the weather. This person may decide that an older smartphone that no longer receives security updates is acceptable. On the other hand, a person in a sensitive career field like politics or journalism who thinks they may be targeted, and uses their smartphone for banking, shopping and communicating sensitive information insists that their device has the latest security patches. The former may feel comfortable owning an older device running LineageOS and the latter may choose the newest Pixel hardware running GrapheneOS.
When we add the bug fixes and feature enhancements that are lumped in with security updates, most users will agree that a software update is important and we welcome it as soon as possible. Even still, some of us may choose to use older smartphones and tablets and may go years without any problems. So who is right? Should everyone insist on devices that receive the latest and greatest software? I say this so that you will think about your particular case, develop your personal threat model, do your research and then make an informed decision.
To understand what goes into Android smartphone software updates, let's start with a few basic definitions.
- Firmware - A specific class of computer software that provides low-level control for a device's hardware
- OEM - The original equipment manufacturer is a company that creates a part or subsystem in another company's product. For example, Qualcomm is the OEM of the baseband modem, a subsystem in a modern Android smartphone.
- Vendor Software - A group of proprietary software such as device drivers that is required for system functionality. Firmware that is loaded into memory by the operating system can be considered a type of vendor software.
- Bootloader - Also called boot manager or bootstrap loader, it is a small piece of software that manages the boot sequence and starts the processes of an operating system on a computer.
- Kernel - Software program at the core of the operating system that controls the interaction between subsystems, specifically controlling all hardware resources and input/output requests from software.
- AOSP - Overseen by the Open Handset Alliance (OHA), a google-led coalition, the Android Open Source Project (AOSP) guides development of the open source Android mobile platform. It consists of the operating system, middleware, and system applications.
- OTA Updates - A way of receiving security updates over-the-air; updates are pushed from the developer automatically to the device.
Which Components are Updated?
Generally there are four basic categories of software that are updated on an Android device.
- Proprietary Blobs - In the context of open source software, these are the proprietary binary executables, also called binary blobs, that can only be changed by the OEM. They are required for functionality of certain hardware components. For instance on an Android device, the camera, eSim, and graphics drivers are examples of blobs. Software loaded in nonvolatile flash memory outside of the OS is considered firmware, not a blob.
- Firmware and Bootloader - Proprietary software not loaded by the operating system into memory includes device firmware such as the baseband modem and the bootloader.
- Operating System Platform - The open source AOSP base code and all code that the developers add and compile making their unique operating system.
- Kernel - As defined above, the kernel is the core of the operating system that controls interaction between subsystems; and in the case of Android software it is open source.
How Each Operating System is Updated
LineageOS has a built-in updater application that can be accessed in the Settings app. It acts like a stock Android device, receiving OTA updates from an official LineageOS server that pushes the official build to each device. Each update of LineageOS is a complete image of the entire operating system, instead of an incremental update.
OTA software updates are pushed weekly. The frequency of proprietary blob and firmware updates depends on the OEM, and are folded into the official builds by the maintainers. There are weekly builds available on the LineageOS website available for download and installation using adb sideload.
LineageOS depends on volunteers called "maintainers" that are responsible for a device or group of devices. Once the LineageOS developers release a major version update it is the responsibility of the device maintainers to incorporate the code changes into the builds for their specific device. The maintainers modify kernel software unique to their device's hardware. Because LineageOS developers are a community of volunteers, updates may take longer to be released. Also, since maintainers are volunteers that generally work in their spare time, some devices may become unsupported for no apparent reason. Finally, keep in mind there are many more devices supported by LineageOS than with the other operating systems.
CalyxOS also has a built-in updater application in the Settings app that receives OTA updates from CalyxOS servers. They provide monthly updates for all supported devices. Even after OEM security and firmware updates end, CalyxOS provides extended updates to operating system and kernel software. CalyxOS developers take the Google security updates released on the first Monday of each month, and merge that with their software changes.
Since CalyxOS is a non-profit organization with dedicated developers, updates tend to be consistent and timely. A changelog is available on each device and on the CalyxOS website.
GrapheneOS, like the others, has a built-in updater application that automatically checks for system updates every four hours when an internet connection is available. Just like stock Android, the updates are installed automatically in the background followed by a notification to reboot the device.
Unlike LineageOS, GrapheneOS releases incremental updates of just changes, rather than an a whole OS build. GrapheneOS tends to provide updates quickly and consistently. A changelog is available on their website under the release section of each device.
What Happens after OEM Firmware and Security Updates end?
Keep in mind that even after OEM firmware and security updates are no longer updated, developers may continue to support the operating system, apps, and kernel.
For several years, the industry standard was 3 years of support by manufacturers. Recently, to compete with Apple, Google has extended support of security updates to 5 years starting with the Pixel 6. So what happens on a de-googled phone, or any smartphone, after security updates end? Known vulnerabilities (if any) in firmware and the operating system become an attack vector for malicious actors. How often someone is hacked because of this depends on many factors and is difficult to quantify. The default answer, especially by software developers, is to not take any chances and upgrade your hardware to a device that receives updates. Although outside the scope of this article, knowing how attacks are deployed, to which subsystem, and how effective they are will help us make the best decision.
We recommend anyone who uses their smartphone for banking, shopping, or communicating sensitive information to choose a device that will receive security updates for at least a full year. For anyone who uses a phone for casual purposes and not for work, or as a backup device, or for emergencies when traveling, an older device may function perfectly for years.
As mentioned above, it will benefit each user to analyze their unique threat model, then make an informed decision that includes the information in this article. How, what, and when software updates are made available should be carefully considered before purchasing a de-googled privacy phone or tablet. If you have questions about this topic, feel free to contact us.